11 comments

[ 5.2 ms ] story [ 39.5 ms ] thread
Many thanks for posting this! Only the other day I was evaluating Noir for a webapp and the lack of a capable user auth capability was the main blocker...

    GET /resend-activation?email=:email
    GET /email-changes/cancel
    GET /email-changes/resend-confirmation
Shouldn't these all be POST? GETs are supposed to not have side effects.
You're probably right. I'll change that.

Apart from the REST argument, the best single reason I can come up with to justify changing these to use POST is that otherwise it's possible to cancel an email change or resend a confirmation of a logged in user by having him load a page containing an image tag like <img src="url-to-cancel-email-change" /> . This is the same reason for which noir-auth-app handles logouts through POST instead of GET. Not really dangerous I guess, annoying at most, but worth to fix it anyway.

By the way, in twitter.com (and I guess a lot of other not so popular websites) these are handled as GETs, and so they're subject to this kind of "attacks".

Thanks for raising the issue.

I suppose these particular paths aren't as exploitable as a logout (which isn't a GET on Twitter, either, it seems), but what about, e.g., Chrome's link prefetching? I'm not sure how it would know not to prefetch, for instance, the "cancel email confirmation" link.

Anyway, I'm teaching myself Clojure right now and this looks like great sample code to study, so thank you for sharing it.

Any apps like this which use a traditional DB (mysql or pg) ? Want to see how a relational model translates to clojure.
Looks really nice, authentication is something many are doing wrong and it's important to have good templates

One question, why not use ensureIndex ? is there a real performance running it once it's created?